Federal Election Commission
Office of Inspector General

Final Report

Compliance with the National Institute of Standards and Technology Security Controls
Cost Analysis

September 2014

Assignment No. OIG-14-03


TABLE OF CONTENTS

Introduction ........................................................ 3
Compliance with NIST SP 800-53 ...................................... 7
APPENDIX A – Priority IT Control Selections ........................ 22
APPENDIX B – What are POAMs? ....................................... 29
APPENDIX C – What is FISMA ......................................... 31
APPENDIX D – Acronym Listing ....................................... 37
APPENDIX E – Resources ............................................. 39
Appendix F – About Your Internal Controls .......................... 40


INTRODUCTION

Currently, the Federal Election Commission (FEC) is exempt from complying with the Federal Information Security Management Act (FISMA) of 2002, and due to this exemption, the agency has not implemented many of the government-wide information technology (IT) security standards. The Office of Inspector General (OIG) has been reporting since 2004 that the agency should formally adopt the government-wide IT security standards to strengthen IT security at the agency.

Recently, there have been breaches in security, which have brought negative attention to the FEC. The OIG procured consulting services to conduct an analysis of the anticipated cost to the FEC to comply with:

    a) The National Institute of Standards and Technology's (NIST) minimum best practice information technology (IT) security standards that apply to all government agencies;

    b) All other NIST IT security standards that are applicable to the FEC's business process and associated system risk levels;

    c) The FISMA Act of 2002; and

    d) Any other applicable government-wide IT security standard that the agency has not implemented.

The contractor selected for this effort was Your Internal Controls, LLC. Mr. Jack Heyman, of Your Internal Controls, performed all of the work entailed in this endeavor. Mr. Heyman prepared a cost analysis work-plan that was reviewed and approved by the OIG.
The development of the cost analysis included the following efforts:

    • Interviews with all key IT personnel.

    • Assess the levels of compliance with government-wide IT standards to ascertain what is remaining, should the FEC decide to comply with NIST.

    • Obtain and review documentation (all IT policies and procedures for each of the systems at FEC) and external reports (e.g. SOC 1 reports[1]).

[1] A Service Organization Control (SOC) report is an internal control report on the outsourced services provided by a service organization. The report provides valuable information that the user organizations need to assess the risks associated with an outsourced service.


IT CONTROL DEFICIENCIES

As a result of the consulting services noted above, Your Internal Controls has identified significant issues and/or deficiencies that need immediate corrective action. These issues greatly impact the agency's ability to adequately comply with government-wide IT standards. Those items were as follows:

    • The FEC currently has an incomplete inventory[2] concerning the hardware, software, and other elements relating to Information Technology. By having an incomplete inventory of IT hardware and software, there may be unknown equipment attached to the network, thereby exposing the agency to unforeseen risks. Furthermore, the lack of a proper inventory may also result in the lack of properly deployed controls, as the equipment is not known to exist.

    • The FEC does not have adequate plans and processes in place to ensure that the mission of the agency can still be carried out in the event of a disaster.
      Based on the review of FEC's contingency documentation for this analysis, the documentation was noted as outdated (more than 3 years old) and not in compliance with the required government standards (e.g. NIST 800-34). In accordance with the OIG's January 2013 report on the Inspection of the FEC's Disaster Recovery Plan and Continuity of Operations Plans, the Information Technology Division (ITD) paid $277,506 from 2008 to 2010 to a contractor to develop the agency's contingency plans; however, the plans were never properly tested or fully implemented by IT management.

    • FEC lacks a current process to conduct an annual Privacy Impact Assessment[3] to consider the data within each of the agency's systems. At the completion of this exercise, the agency will be better informed as to which technical controls should be deployed to protect the data residing on those respective systems.

FEC System Inventory & Gap Analysis

The table below gives a summary analysis of the FEC's current state regarding compliance with government-wide IT standards (NIST). As stated above, many IT personnel were interviewed, as well as representation from OGC; several IT documents (policies and procedures, contingency documents, system/application listing, etc.) were also reviewed.
The review identified that the current documentation either did not meet the requirements of best practice, the information was outdated, or the information did not exist. As such, none of the documentation obtained could be used to comply with NIST IT standards. In the table below, FEC's data and documentation was assessed against the following required standards:

    • Boundary Memo – document identifying the hardware and software that is in the boundary of the respective system.
    • FIPS-199 Worksheet – facilitates the identification of risk categorization for the respective system.
    • PIA (Privacy Impact Assessments) – an analysis of Personally Identifiable Information that helps to identify if the controls deployed are commensurate with the risks of the respective system.
    • SSP (System Security Plan) – a document developed for each agency system where each of the NIST 800-53 Revision 4 controls is addressed and described in terms of how each control is deployed and implemented.
    • eAuthentication Worksheet – facilitates the determination of which type of authentication (i.e. dual factor authentication) should be used for the system.
    • ISCP (Information System Contingency Plan) – describes all contingency related matters for the system such as backups, restoration of data, alternate storage sites, etc.

 #   System                                          Boundary  FIPS-199   PIA  SSP  eAuthentication  ISCP
                                                     Memo      Worksheet            Worksheet
 1   Comprizon                                       No        No         No   No   No               No
 2   Enterprise Content Management                   No        No         No   No   No               No
 3   Case Management                                 No        No         No   No   No               No
 4   LAN                                             No        No         No   No   No               No
 5   Electronic Distribution System                  No        No         No   No   No               No
 6   Disclosure                                      No        No         No   No   No               No
 7   Presidential Matching Funds                     No        No         No   No   No               No
 8   PCs                                             No        No         No   No   No               No
 9   WebTA                                           No        No         No   No   No               No
 10  Mobile Iron (replaced the Blackberry servers)   No        No         No   No   No               No
 11  Wireless network                                No        No         No   No   No               No
 12  Mobile Devices                                  No        No         No   No   No               No
 13  ARSS                                            No        No         No   No   No               No

[2] Due to the lack of inventory records, this cost analysis was based on agency size and the complexity of the FEC's systems and business processes.
[3] Currently an outstanding recommendation from an OIG audit: 2010 Follow-up Audit of Privacy and Data Protection.
What is NIST and What are the Benefits?

The National Institute of Standards and Technology (NIST) is an agency within the Commerce Department and, among its many responsibilities, it is tasked with aiding agencies in complying with best practice IT standards in accordance with the agency's business processes via the development of various Special Publications (SP). These SP documents have the following development objectives:

    • Standards for categorizing information and information systems by mission impact;
    • Standards for minimum security requirements for information and information systems;
    • Guidance for selecting appropriate security controls for information systems;
    • Guidance for assessing security controls in information systems and determining security control effectiveness;
    • Guidance for the security authorization of information systems; and
    • Guidance for monitoring the security controls and the security authorization of information systems.

Each of the SP 800 series documents has an "Authority" section in the beginning of the document. This section describes the authority of the document as well as referencing specific laws with which the agency will be complying, such as OMB A-130, which is applicable to the FEC.

The FEC will encounter many benefits from implementing government-wide IT security standards that are widely used and understood throughout all of the federal government. NIST specifically calls out some of those benefits as follows:

    • The implementation of cost-effective, risk-based information security programs.
    • The establishment of a level of security due diligence for federal agencies and contractors supporting the federal government.
    • More consistent and cost-effective application of security controls across the federal information technology infrastructure.
    • More consistent, comparable, and repeatable security control assessments.
    • A better understanding of enterprise-wide mission risks resulting from the operation of information systems.
    • More complete, reliable, and trustworthy information for authorizing officials, facilitating more informed security authorization decisions.
    • More secure information systems within the federal government, including the critical infrastructure of the United States.

Also, as NIST is responsible for creating and updating IT standards to ensure the federal government has adequate IT controls, the FEC should also experience an increase in productivity and consistency, as the agency will no longer have to create its own IT security standards.

In addition, FEC IT staff will have structured policies and procedures and can be more proactive in preventing IT issues rather than reactive, which consistently increases spending and limits resources. Although every IT security issue cannot be prevented, the FEC is assured of having a more robust IT security program to protect the agency's systems and information if the NIST standards are adequately implemented.


COMPLIANCE WITH NIST SP 800-53

The agency must document and deploy controls commensurate with the security categorization for their systems (Low, Moderate, or High).
The controls for Low, Moderate, and High systems are located within NIST SP 800-53 Revision 4. Upon interview with IT personnel, as well as review of IT documentation, it was determined that all of FEC's systems would most likely categorize as Moderate systems.

The controls are broken out by what NIST refers to as control families. Additionally, each family has controls and control enhancements. The control enhancements are additional controls needed based on a system's risk categorization and are denoted in parentheses when reviewing NIST SP 800-53.

The table below lists the NIST 800-53 families, showing the number of controls and control enhancements that are required for the Moderate security categorization applicable to the FEC. In addition, the priority column represents those controls and applicable control enhancements that are considered significant in terms of the controls that should be deployed by FEC immediately based on this cost analysis.

NIST Moderate IT Controls Table

 #   Control Families                         Controls  Control Enhancements  Priority Controls
 1   Access Control                           17        18                    9
 2   Awareness and Training                   4         1                     4
 3   Audit and Accountability                 11        7                     5
 4   Security Assessment and Authorization    7         3                     6
 5   Configuration Management                 11        10                    8
 6   Contingency Planning                     9         13                    5
 7   Identification and Authentication        8         14                    5
 8   Incident Response                        8         4                     4
 9   Maintenance                              6         3                     2
 10  Media Protection                         7         2                     2
 11  Physical and Environmental Protection    16        2                     12
 12  Planning                                 4         2                     3
 13  Personnel Security                       8         0                     3
 14  Risk Assessment                          4         3                     4
 15  System and Services Acquisition          9         5                     4
 16  System and Communications Protection     19        5                     6
 17  System and Information Integrity         11        10                    5
 18  Program Management                       16        0                     10
 19  Privacy                                  26        0                     21
     Total                                    201       102                   118

The following sections provide a brief description explaining the benefits and risks for each of the families contained within NIST 800-53 Revision 4. For further details of the specific controls that are deemed priority, please refer to Appendix A within this document.

Access Control family

If access rights are not set appropriately, then users may have privileges to agency information that exceed their approved rights. As an example, the FEC encountered a breach related to access controls in FY 2012 when a staff person in the Office of General Counsel was granted unauthorized access to sensitive human resource documents.
It is imperative that data be protected in a manner that is commensurate with the risk it poses.

Awareness and Training family

Security awareness training is essentially providing training to new employees and contractors and also providing annual refresher training. This control decreases the risk that users will be uninformed about their rights and responsibilities when granted access to agency systems. The FEC has implemented security awareness training for staff and contractors, and also requires annual security awareness training for all FEC staff and contractors. In addition, FEC has two levels of security awareness training: supervisory and staff level. Also, records are maintained of the security training. However, the FEC does not have adequate security-related technical training specifically tailored for those persons with assigned security roles (i.e. system/network administrators, configuration management, etc.).

Audit and Accountability family

Agencies may have various preventive controls in place; however, without detective controls such as auditing, administrators will not have informed processes to react appropriately to security breaches and violations. The auditing control family ensures that appropriate audit events are captured timely, and that these events are reviewed and corrective actions are taken so that security breaches are managed effectively. Auditing in this context refers to capturing the data for specific auditable events, such as when a user logs on or logs off from the system, or notifications of unauthorized access attempts.

Security Assessment and Authorization family

This control family concerns documentation of NIST 800-53 controls (see the NIST Moderate IT Controls Table on page 8) and then assessing those controls to ensure they are operating effectively. Without the proper documentation of controls for each system, there is the risk that controls will not be deployed correctly, thereby exposing the agency to unforeseen risks.

Configuration Management family

All changes, whether they are system changes, patches, new releases, etc., are managed by this control family to ensure that changes are made in a controlled environment. If changes are made to any of the FEC systems without positive test results, approvals, or proper segregation of duties, then the agency runs the risk that those unauthorized changes could result in inappropriate changes being made. Those inappropriate changes may result in exposures to vulnerabilities or access control weaknesses in the respective systems.

Contingency Planning family

In the event of a disaster that prohibits access to the FEC building or causes data to be inoperable or corrupted, the agency needs processes and controls in place to ensure essential personnel can continue to work and carry out the mission of the agency. This control family focuses on the importance of having backups taken, procedures for restoring data, and testing the data to ensure there were no adverse actions prior to restoring the data. Without appropriate backups and testing of those backups, data may be lost forever.

Identification and Authentication family

This family addresses the management of IDs and the complexity of passwords. All agencies need strong identification and authentication controls as a first line of defense to prevent adverse actions on agency systems.
It has been noted that the FEC utilizes a PIV card with a unique PIN, along with a PGP passphrase, for accessing the agency's network, and those implemented controls are applicable to this control family.

Incident Response family

The controls for Incident Response deal with how IT security incidents are captured, tracked, and monitored. This control family is also concerned with how risk is assessed and modified as a result of the number and types of incidents that the agency faces. It is very important that the agency captures each incident and then makes the necessary security changes to the systems and network based on those incidents. FEC is in the process of making security changes to address the previous system attacks by the Chinese; however, management currently has outstanding recommendations from 2012, made by the contractor hired by ITD to assess the intrusions, that have not been fully implemented.

Maintenance family

In order to manage when FEC hardware will become inoperable, it is important to perform periodic maintenance. This family covers the area of proper maintenance and how to control who performs the maintenance, from which locations, and how it is performed. It is also important to control who cleans (i.e. removes agency data from) the equipment if it is being sent off-site, to prevent confidential data regarding the agency or agency personnel from being transferred to the public or others who are not privileged to the information.

Media Protection family

This control family addresses security controls over storing data on CDs, USB drives, and other media devices so that if they are lost or stolen, the agency's data cannot be compromised.

Physical and Environmental Protection family

Data may be protected with the best logical controls (e.g. access controls); however, the data should also be protected physically and from the elements of nature. Good physical controls need to be in place to ensure that the data is protected physically from any fraud, waste, abuse, and safety hazards. The data should be in a separate facility with physical controls determining who can and cannot access the data.

Planning family

This control family ensures that all controls are documented correctly in a System Security Plan for each system at the FEC. The Security Plan should list each of the NIST 800-53 controls and explain how each control is deployed for that system. Currently the FEC does not have a formalized Security Plan for each system at the FEC. This lack of control increases the likelihood that controls are not deployed and/or implemented correctly, and the agency is at risk for numerous exposures to vulnerabilities, as the systems residing on the network will likely be open for attack.

These controls also address the Rules of Behavior and require each employee and contractor to have read, understood, and signed off on their rights and responsibilities when accessing agency data.

Personnel Security family

This control family is concerned with performing background checks, deploying sanctions for those employees violating policies, and ensuring personnel and contractors have signed pertinent agency agreements. When an agency performs background checks for prospective employees and contractors, as well as periodically (e.g. every 3 years) for those currently accessing agency systems, this reduces the risk of having an unethical person with adversarial intentions accessing the network and agency resources.
It shall also be noted that this control family is usually managed by the Human Resources personnel in conjunction with IT personnel for system access.

Risk Assessment family

This control family addresses the risk assessment process for systems at the agency. Each system poses a different level of risk. Systems with higher risk should have more and stronger controls, whereas systems with less risk will have fewer controls. In order to identify what controls to deploy to be compliant with government-wide standards, it is necessary to assess risks for each system.

System and Services Acquisition family

This control family is similar to the Configuration Management family; however, these controls address specific concerns for developers and how they manage configuration changes prior to deploying the change into production. Developers must appropriately test changes and migrate those changes properly so that agency personnel will be without interruption when working on agency systems.

System and Communications Protection family

This control family addresses encryption to ensure that the latest federal encryption requirements are being complied with. Additionally, this family also addresses firewalls and other perimeter security to ensure that the logical walls surrounding the network have an adequate security posture. It is important for this data to be protected when at rest (e.g. residing on a server) and when in transit (e.g. someone entering data from their computer to a server).

System and Information Integrity family

This control family addresses how to identify, manage and eradicate flaws and malicious code, and how to handle errors. In the event that a system has a flaw or malicious code, this could pose serious risk to the agency's assets. These controls also address the retention of data to comply with various privacy regulations.

Program Management family

This control family directs the management of the agency to consider and deploy measures to protect against insider threats, to track any deficiencies and have them remediated timely, as well as an array of other control environment level measures to ensure that the agency is considering a risk based, top-down approach for deploying security. The overall benefit of this family is that it forces the agency to have a holistic view of the systems and the risks they pose to the agency's assets and resources.

Privacy family

This control family is essential because the FEC must comply with an array of privacy regulations as a federal executive agency. This control family represents a set of controls that help to address those privacy regulations, such as creating and maintaining Privacy Impact Assessments (PIA)[4], posting them on the agency's website, redacting data from the PIAs if they prove to be too sensitive, complaint management in the event that a user has a complaint about their privacy concerns, and more.

[4] The OIG currently has an outstanding recommendation related to PIAs in their 2010 Audit Follow-up of Privacy and Data Protection audit report that has not been addressed by the Co-Chief Privacy Officers.


Costs of Complying with Applicable NIST Standards[5]

The estimated costs of complying with NIST control standards took into account that IT management identified that all systems in scope will result in a Moderate categorization. The tables that follow identify the estimated cost to the FEC of procuring services from a small, medium, or large contracting firm to complete the tasks necessary for the FEC to be in compliance with applicable
NIST standards. In addition, the tables illustrate the cost of implementing: 1) all moderate controls applicable to the FEC and 2) only those controls identified via this analysis as "priority controls" at the moderate level. Also, the tables below include hour estimates for complying with the standards. In the event that the agency decides to perform some or all of these tasks in-house, then ITD can merely quantify the number of hours per task, individually for each system. The cost savings would also be reflected via the tables below. However, it is the opinion of Your Internal Controls, LLC that an external contractor should be used for the implementation of these tasks. Typically, a contractor will have had years of experience in preparing the required documents and testing the NIST 800-53 controls. The experience of preparing the NIST related documentation, along with testing and remediating control deficiencies, lends itself to a more efficient approach via the use of an external contractor.

The tables that follow depict the various scenarios and their associated cost estimate. The following bullets give a description of the table columns:

    • Type: identifies the FEC's system as either a Major Application – MA, or General Support System – GSS.
    • Complete Inv. Boundary, assess risks & identify connections: denotes the hours to complete an assessment of each system's boundary (in terms of risk), as well as identify the complete IT system inventory (e.g. hardware, software, etc.).
    • FIPS-199: denotes the hours to complete an assessment to ensure that all systems are in fact Moderate risk systems as identified by IT management.
    • eAuth: denotes the hours necessary to ascertain the level of depth that is commensurate with the risks of that system, to deploy the correct Identification and Authentication controls.
    • PIA (Privacy Impact Assessment): denotes the hours needed to identify the data concerns and appropriate controls to be deployed to ensure that risks are commensurate with privacy concerns.
    • SSP & ISCP (System Security Plan & Information System Contingency Plan): denotes the hours to document each plan for each system.
    • Control Assessment: denotes the hours to assess the SSP & ISCP controls to identify any risks.
    • Remediation: denotes the hours to remediate any identified risks from the control assessment.
    • Develop SAR: denotes the hours to document any risk that could not be immediately remediated.

*** The hours for remediation and SAR development are contingent on the number of deficiencies noted from the controls assessment.

[5] All costs are estimates based on the professional knowledge, skills, and experience of Your Internal Controls, LLC.

Cost Estimate Tables

The following tables depict estimated bill rates, as well as hourly estimates for the tasks in complying with NIST.
The billing rates between small, medium, and large\ncontracting firms, as well as the comparison between hourly estimates is based on Your Internal\nControls, LLC\xe2\x80\x99s review of over 50 contracting engagements where small, medium, and large\nfirms were awarded contracts to perform the same types of engagements requiring review;\ntesting; and/or implementing NIST standards. For instance, it is typical practice that larger firms\nwill lower the bill rates to account for the larger hourly estimates based on the level of project\nmanagement and oversight involved with the project when compared to a smaller firm that has\nless concurring reviews and oversight. As an example, in the tables that follow, you will note\nthat the estimated billing rate for a small contract firm and a large contract firm is the same, but a\nlarge difference in the estimated hours for completion, which reflects the different levels of\noversight.\n\n\n\n\n                                                                                                   14\n\x0c                                                   Small Contract Firm Costs\nAll Moderate Controls\n\n\n                                                 Total       Billing                   Complete inv. 
boundary, assess                                Controls              Develop\n  #                        System       Type     Hours        Rate          Cost        risks, & identify connections FIPS-199 eAuth PIA SSP & ISCP Assessment Remediation SAR\n  1    Comprizon                         MA      255.6     $       125   $ 31,950.00                 5.6                  8      2 8        140          56        28         8\n  2    Enterprise Content Management     MA      313.6     $       125   $ 39,200.00                 5.6                  8      2 10 175                70        35         8\n  3    Case Management                   MA      529.5     $       125   $ 66,187.50                  21                  8      8 12 315               105       52.5        8\n  4    LAN                              GSS       726      $       125   $ 90,750.00                  56                  8      8 16 420               140        70         8\n  5    Electronic Distribution System    MA       489      $       125   $ 61,125.00                  14                  8      8 10 315                84        42         8\n  6    Disclosure                        MA      588.5     $       125   $ 73,562.50                  42                  8      8 15 350               105       52.5        8\n  7    Presidential Matching Funds       MA       336      $       125   $ 42,000.00                  14                  8      4 8        210          56        28         8\n  8    PCs                               MA      354.4     $       125   $ 44,300.00                 22.4                 8      0 8        245          42        21         8\n  9    WebTA                             MA      218.1     $       125   $ 27,262.50                 5.6                  8      0 4        140          35       17.5        8\n  10   Mobile Iron                      GSS      331.2     $       125   $ 41,400.00                 11.2                 8      4 6        210         
 56        28         8\n  11   Wireless network                  MA      238.9     $       125   $ 29,862.50                 22.4                 8      0 8        140          35       17.5        8\n  12   Mobile Devices                    MA       283      $       125   $ 35,375.00                  35                  8      0 8        140          56        28         8\n  13   ARSS                              MA       244      $       125   $ 30,500.00                  21                  8      0 4        140          42        21         8\n       Total hours                              4907.8                                              275.8                104 44 117 2940                882       441        104\n       Bill Rate                               $ 125.00\n       Total Cost                              $ 613,475\n\n\n\n\n                                                                                                                                                                               15\n\x0c                                                   Small Contract Firm Costs\nPriority Controls Only\n\n\n                                                 Total         Billing                   Complete inv. 
boundary, assess                                Controls              Develop\n  #                        System       Type     Hours         Rate           Cost        risks, & identify connections FIPS-199 eAuth PIA SSP & ISCP Assessment Remediation SAR\n  1    Comprizon                         MA        190     $         125   $ 23,750.00                   4                  8      2 8        100          40        20         8\n  2    Enterprise Content Management     MA        232     $         125   $ 29,000.00                   4                  8      2 10       125          50        25         8\n  3    Case Management                   MA      388.5     $         125   $ 48,562.50                  15                  8      8 12       225          75       37.5        8\n  4    LAN                              GSS        530     $         125   $ 66,250.00                  40                  8      8 16       300         100        50         8\n  5    Electronic Distribution System    MA        359     $         125   $ 44,875.00                  10                  8      8 10       225          60        30         8\n  6    Disclosure                        MA      431.5     $         125   $ 53,937.50                  30                  8      8 15       250          75       37.5        8\n  7    Presidential Matching Funds       MA        248     $         125   $ 31,000.00                  10                  8      4 8        150          40        20         8\n  8    PCs                               MA        260     $         125   $ 32,500.00                  16                  8      0 8        175          30        15         8\n  9    WebTA                             MA      161.5     $         125   $ 20,187.50                   4                  8      0 4        100          25       12.5        8\n  10   Mobile Iron                      GSS        244     $         125   $ 30,500.00                   8                  8      
4 6        150          40        20         8\n  11   Wireless network                  MA      177.5     $         125   $ 22,187.50                  16                  8      0 8        100          25       12.5        8\n  12   Mobile Devices                    MA        209     $         125   $ 26,125.00                  25                  8      0 8        100          40        20         8\n  13   ARSS                              MA        180     $         125   $ 22,500.00                  15                  8      0 4        100          30        15         8\n       Total hours                                3611                                                 197                 104    44 117 2100             630       315        104\n       Bill Rate                               $ 125.00\n       Total Cost                              $ 451,375\n\n\n\n\n                                                                                                                                                                                 16\n\x0c                                                                           Medium Contract Firm Costs\nAll Moderate controls\n\n                                                Total          Billing                    Complete inv. 
boundary, assess                                    Controls              Develop\n  #                 System            Type     Hours           Rate            Cost        risks, & identify connections FIPS-199 eAuth   PIA   SSP & ISCP Assessment Remediation SAR\n  1    Comprizon                       MA       541.2      $         115   $ 62,238.00                  11.2                 8      2      8       280         112       112         8\n  2    Enterprise Content Management MA         669.2      $         115   $ 76,958.00                  11.2                 8      2      10      350         140       140         8\n  3    Case Management                 MA        988       $         115   $ 113,620.00                  42                  8      8      12      490         210       210         8\n  4    LAN                            GSS       1132       $         115   $ 130,180.00                 112                  8      8      16      560         210       210         8\n  5    Electronic Distribution System  MA       1028       $         115   $ 118,220.00                  28                  8      8      10      630         168       168         8\n  6    Disclosure                      MA       1068       $         115   $ 122,820.00                  84                  8      8      15      560         210       175         8\n  7    Presidential Matching Funds     MA        630       $         115   $ 72,450.00                   28                  8      4      8       350         112       112         8\n  8    PCs                             MA       691.8      $         115   $ 79,557.00                  44.8                 8      0      8       455          84        84         8\n  9    WebTA                           MA       451.2      $         115   $ 51,888.00                  11.2                 8      0      4       280          70        70         8\n  10   Mobile Iron                    GSS       622.4      $         115   $ 
71,576.00                  22.4                 8      4      6       350         112       112         8\n  11   Wireless network                MA       453.8      $         115   $ 52,187.00                  44.8                 8      0      8       245          70        70         8\n  12   Mobile Devices                  MA        563       $         115   $ 64,745.00                   70                  8      0      8       245         112       112         8\n  13   ARSS                            MA        475       $         115   $ 54,625.00                   42                  8      0      4       245          84        84         8\n       Total hours                             9313.6                                                  551.6                104    44     117      5040       1694       1659       104\n       Bill Rate                             $ 115.00\n       Total Cost                            $ 1,071,064\n\n\n\n\n                                                                                                                                                                                      17\n\x0c                                                                      Medium Contract Firm Costs\nPriority controls only\n\n\n                                            Total         Billing                     Complete inv. 
boundary, assess                                Controls              Develop\n  #              System               Type Hours          Rate             Cost        risks, & identify connections FIPS-199 eAuth PIA SSP & ISCP Assessment Remediation SAR\n  1    Comprizon                       MA    416      $         115   $   47,840.00                   8                 16      4 16       200          80        80        12\n  2    Enterprise Content Management MA      510      $         115   $   58,650.00                   8                 16      4 20       250         100       100        12\n  3    Case Management                 MA    748      $         115   $   86,020.00                  30                 16     16 24       350         150       150        12\n  4    LAN                            GSS    856      $         115   $   98,440.00                  80                 16     16 32       400         150       150        12\n  5    Electronic Distribution System  MA    774      $         115   $   89,010.00                  20                 16     16 20       450         120       120        12\n  6    Disclosure                      MA    809      $         115   $   93,035.00                  60                 16     16 30       400         150       125        12\n  7    Presidential Matching Funds     MA    482      $         115   $   55,430.00                  20                 16      8 16       250          80        80        12\n  8    PCs                             MA    521      $         115   $   59,915.00                  32                 16      0 16       325          60        60        12\n  9    WebTA                           MA    344      $         115   $   39,560.00                   8                 16      0 8        200          50        50        12\n  10   Mobile Iron                    GSS    474      $         115   $   54,510.00                  16                 16      8 12       250          80        
80        12\n  11   Wireless network                MA    351      $         115   $   40,365.00                  32                 16      0 16       175          50        50        12\n  12   Mobile Devices                  MA    429      $         115   $   49,335.00                  50                 16      0 16       175          80        80        12\n  13   ARSS                            MA    361      $         115   $   41,515.00                  30                 16      0 8        175          60        60        12\n       Total hours                          7075                                                    394                 208    88 234 3600            1210       1185       156\n       Bill Rate                          $ 115.00\n       Total Cost                         $ 813,625\n\n\n\n\n                                                                                                                                                                              18\n\x0c                                                                             Large Contract Firm Costs\nAll Moderate controls\n\n\n                                                  Total          Billing                    Complete inv. 
boundary, assess                                  Controls              Develop\n  #                System               Type      Hours          Rate            Cost        risks, & identify connections   FIPS-199 eAuth PIA SSP & ISCP Assessment Remediation SAR\n  1    Comprizon                         MA       541.2      $         125   $ 67,650.00                  11.2                   8      2    8     280         112       112         8\n  2    Enterprise Content Management     MA       669.2      $         125   $ 83,650.00                  11.2                   8      2 10       350         140       140         8\n  3    Case Management                   MA        1128      $         125   $ 141,000.00                  42                    8      8 12       630         210       210         8\n  4    LAN                              GSS        1552      $         125   $ 194,000.00                 112                    8      8 16       840         280       280         8\n  5    Electronic Distribution System    MA        1028      $         125   $ 128,500.00                  28                    8      8 10       630         168       168         8\n  6    Disclosure                        MA        1243      $         125   $ 155,375.00                  84                    8      8 15       700         210       210         8\n  7    Presidential Matching Funds       MA         700      $         125   $ 87,500.00                   28                    8      4    8     420         112       112         8\n  8    PCs                               MA       726.8      $         125   $ 90,850.00                  44.8                   8      0    8     490          84        84         8\n  9    WebTA                             MA       451.2      $         125   $ 56,400.00                  11.2                   8      0    4     280          70        70         8\n  10   Mobile Iron                      GSS       692.4      $         125   $ 
86,550.00                  22.4                   8      4    6     420         112       112         8\n  11   Wireless network                  MA       488.8      $         125   $ 61,100.00                  44.8                   8      0    8     280          70        70         8\n  12   Mobile Devices                    MA         598      $         125   $ 74,750.00                   70                    8      0    8     280         112       112         8\n  13   ARSS                              MA         510      $         125   $ 63,750.00                   42                    8      0    4     280          84        84         8\n       Total hours                               10328.6                                                 551.6                  104    44 117      5880       1764       1764       104\n       Bill Rate                               $ 125.00\n       Total Cost                              $ 1,291,075\n\n\n\n\n                                                                                                                                                                                      19\n\x0c                                                                           Large Contract Firm Costs\nPriority controls only\n\n\n                                                 Total         Billing                    Complete inv. 
boundary, assess                                Controls              Develop\n  #                System               Type     Hours         Rate            Cost        risks, & identify connections FIPS-199 eAuth PIA SSP & ISCP Assessment Remediation SAR\n  1    Comprizon                         MA        420     $         125   $ 52,500.00                    8                 16      4 16       200          80        80        16\n  2    Enterprise Content Management     MA        514     $         125   $ 64,250.00                    8                 16      4 20       250         100       100        16\n  3    Case Management                   MA        852     $         125   $ 106,500.00                  30                 16     16 24       450         150       150        16\n  4    LAN                              GSS       1160     $         125   $ 145,000.00                  80                 16     16 32       600         200       200        16\n  5    Electronic Distribution System    MA        778     $         125   $ 97,250.00                   20                 16     16 20       450         120       120        16\n  6    Disclosure                        MA        938     $         125   $ 117,250.00                  60                 16     16 30       500         150       150        16\n  7    Presidential Matching Funds       MA        536     $         125   $ 67,000.00                   20                 16      8 16       300          80        80        16\n  8    PCs                               MA        550     $         125   $ 68,750.00                   32                 16      0 16       350          60        60        16\n  9    WebTA                             MA        348     $         125   $ 43,500.00                    8                 16      0    8     200          50        50        16\n  10   Mobile Iron                      GSS        528     $         125   $ 66,000.00                   16               
  16      8 12       300          80        80        16\n  11   Wireless network                  MA        380     $         125   $ 47,500.00                   32                 16      0 16       200          50        50        16\n  12   Mobile Devices                    MA        458     $         125   $ 57,250.00                   50                 16      0 16       200          80        80        16\n  13   ARSS                              MA        390     $         125   $ 48,750.00                   30                 16      0    8     200          60        60        16\n       Total hours                                7852                                                  394                 208    88 234      4200       1260       1260       208\n       Bill Rate                               $ 125.00\n       Total Cost                              $ 981,500\n\n\n\n\n                                                                                                                                                                                  20\n\x0cSummary Cost Analysis Estimate\n\n              Contract Firm         All Moderate            Priority Controls\n                    Size               Controls                    only\n              Small               $ 613,475               $       451,375\n              Medium              $ 1,071,064             $       813,625\n              Large               $ 1,291,075             $       981,500\n\nFEC IT Management On-going Responsibilities for NIST IT Controls\n\nAfter the tasks described in the tables above are completed, FEC would need to develop a\ncontinuous monitoring program that will assess IT controls on an annual basis (Controls\nAssessment) that ensures all controls are reviewed over a three year cycle (NIST 800-37\nRevision 1, page 36). 
Any deficiencies would need to be documented (Plan Of Action &\nMilestone, see page 30) and remediated according to the agency\xe2\x80\x99s established policy. Those\nidentified deficiencies should also be categorized as Low, Moderate, or High and remediated in a\ntimely manner commensurate with the risk posed by the respective deficiencies. Developing the\nrespective NIST documentation such as the SSP, ISCP, etc. will only need to be completed in its\nentirety for the existing FEC systems, as well as if the agency implements a new system, or\nchanges have been made to an existing system, which could change the risk categorization and\napplicable controls for that particular system. For those systems undergoing significant changes,\nthe documents would only need to be updated for those controls that were affected by the\nchanges.\n\n\n\n\n                                                                                              21\n\x0c      APPENDIX A \xe2\x80\x93 PRIORITY IT CONTROL SELECTIONS\n\nBased on the FEC\xe2\x80\x99s systems categorization level, the analysis is assessed only at the Moderate\nbaseline and then the priority controls are selected from there. As such, the following tables\nshow all controls at the Moderate baseline and then the High Priority control selections (noted by\na \xe2\x80\x981\xe2\x80\x99 under the High Priority column) by family. The \xe2\x80\x9cModerate Baseline\xe2\x80\x9d column includes both\nnumbers and numbers in parenthesis. The number without the parenthesis represents the control,\nwhereas the number inside parenthesis represents control enhancements. For example, AC-2 (1)\n(2) (3) (4) means that control AC-2 has four control enhancements.\n\nNote: For any of the tables below, the \xe2\x80\x9cControl #\xe2\x80\x9d column may appear to be missing numbers\n(e.g. 14 and then 17 within the Access Controls table). 
This is due to NIST controls being retired\nand NIST maintaining the original numbers so those controls that are retired are simply not\nincluded.\n\nAccess Control family\n                                     Control                                                                      Moderate               High\n  #                Family               #                                Control                                   Baseline             Priority\n  1             Access Control          1      Access Control Policy and Procedures                                  AC-1                  1\n  2             Access Control          2      Account Management                                             AC-2 (1) (2) (3) (4)         1\n  3             Access Control          3      Access Enforcement                                                    AC-3\n  4             Access Control          4      Information Flow Enforcement                                          AC-4\n  5             Access Control          5      Separation of Duties                                                  AC-5                  1\n  6             Access Control          6      Least Privilege                                              AC-6 (1) (2) (5) (9) (10)\n  7             Access Control          7      Unsuccessful Logon Attempts                                           AC-7                  1\n  8             Access Control          8      System Use Notification                                               AC-8\n  9             Access Control         11      Session Lock                                                       AC-11 (1)                1\n 10             Access Control         12      Session Termination                                                  AC-12\n 11             Access Control         14      Permitted Actions without Identification or Authentication           AC-14                  1\n 12             Access Control         17      Remote 
Access                                                 AC-17 (1) (2) (3) (4)         1\n 13             Access Control         18      Wireless Access                                                    AC-18 (1)                1\n 14             Access Control         19      Access Control for Mobile Devices                                  AC-19 (5)                1\n 15             Access Control         20      Use of External Information Systems                              AC-20 (1) (2)\n 16             Access Control         21      Information Sharing                                                  AC-21\n 17             Access Control         22      Publicly Accessible Content                                          AC-22\n                                                                                                                     Total                 9\n\n\nAwareness and Training family\n                                     Control                                                                       Moderate              High\n  #                Family              #                           Control                                         Baseline             Priority\n  1         Awareness and Training     1 Security Awareness and Training Policy and Procedures                       AT-1                  1\n  2         Awareness and Training     2 Security Awareness Training                                               AT-2 (2)                1\n  3         Awareness and Training     3 Role-Based Security Training                                                AT-3                  1\n  4         Awareness and Training     4 Security Training Records                                                   AT-4                  1\n                                                                                                                    Total                  4\n\nNote: The FEC has already implemented this family\xe2\x80\x99s control 
requirements and this has already\nbeen reflected in the cost estimates.\n\n                                                                                                                                               22\n\x0cAudit and Accountability family\n                                               Control                                                           Moderate         High\n  #                   Family                      #                                Control                       Baseline        Priority\n  1           Audit and Accountability            1      Audit and Accountability Policy and Procedures            AU-1             1\n  2           Audit and Accountability            2      Auditable Events                                        AU-2 (3)           1\n  3           Audit and Accountability            3      Content of Audit Records                                AU-3 (1)\n  4           Audit and Accountability            4      Audit Storage Capacity                                    AU-4             1\n  5           Audit and Accountability            5      Response to Audit Processing Failures                     AU-5\n  6           Audit and Accountability            6      Audit Review, Analysis, and Reporting                  AU-6 (1) (3)        1\n  7           Audit and Accountability            7      Audit Reduction and Report Generation                   AU-7 (1)\n  8           Audit and Accountability            8      Time Stamps                                             AU-8 (1)\n  9           Audit and Accountability            9      Protection of Audit Information                         AU-9 (4)           1\n 10           Audit and Accountability           11      Audit Record Retention                                   AU-11\n 11           Audit and Accountability           12      Audit Generation                                         AU-12\n                                                          
                                                        Total             5\n\n\nSecurity Assessment and Authorization family\n\n                                               Control                                                           Moderate         High\n  #                   Family                     #                                 Control                       Baseline        Priority\n                                                         Security Assessment and Authorization Policies and\n                                                                                                                   CA-1\n  1    Security Assessment and Authorization      1      Procedures                                                                 1\n  2    Security Assessment and Authorization      2      Security Assessments                                    CA-2 (1)           1\n  3    Security Assessment and Authorization      3      System Interconnections                                 CA-3 (5)           1\n  4    Security Assessment and Authorization      5      Plan of Action and Milestones                            CA-5              1\n  5    Security Assessment and Authorization      6      Security Authorization                                   CA-6              1\n  6    Security Assessment and Authorization      7      Continuous Monitoring                                   CA-7 (1)           1\n  7    Security Assessment and Authorization      9      Internal System Connections                              CA-9\n                                                                                                                  Total             6\n\nConfiguration Management family\n                                               Control                                                          Moderate          High\n  #                   Family                      #                             Control                         Baseline         
Priority
  1   Configuration Management    1   Configuration Management Policy and Procedures   CM-1                1
  2   Configuration Management    2   Baseline Configuration                           CM-2 (1) (3) (7)    1
  3   Configuration Management    3   Configuration Change Control                     CM-3 (2)            1
  4   Configuration Management    4   Security Impact Analysis                         CM-4                1
  5   Configuration Management    5   Access Restrictions for Change                   CM-5                1
  6   Configuration Management    6   Configuration Settings                           CM-6                1
  7   Configuration Management    7   Least Functionality                              CM-7 (1) (2) (4)
  8   Configuration Management    8   Information System Component Inventory           CM-8 (1) (3) (5)    1
  9   Configuration Management    9   Configuration Management Plan                    CM-9                1
 10   Configuration Management   10   Software Usage Restrictions                      CM-10
 11   Configuration Management   11   User-Installed Software                          CM-11
                                                                                       Total               8

Contingency Planning family

  #   Family                 Control #   Control                                          Moderate Baseline   High Priority
  1   Contingency Planning       1       Contingency Planning Policy and Procedures       CP-1                      1
  2   Contingency Planning       2       Contingency Plan                                 CP-2 (1) (3) (8)          1
  3   Contingency Planning       3       Contingency Training                             CP-3
  4   Contingency Planning       4       Contingency Plan Testing                         CP-4 (1)                  1
  5   Contingency Planning       6       Alternate Storage Site                           CP-6 (1) (3)              1
  6   Contingency Planning       7       Alternate Processing Site                        CP-7 (1) (2) (3)
  7   Contingency Planning       8       Telecommunications Services                      CP-8 (1) (2)
  8   Contingency Planning       9       Information System Backup                        CP-9 (1)
  9   Contingency Planning      10       Information System Recovery and Reconstitution   CP-10 (2)                 1
                                                                                          Total                     5

Identification and Authentication family

  #   Family                              Control #   Control                                                        Moderate Baseline                High Priority
  1   Identification and Authentication       1       Identification and Authentication Policy and Procedures        IA-1                                   1
  2   Identification and Authentication       2       Identification and Authentication (Organizational Users)       IA-2 (1) (2) (3) (8) (11) (12)         1
  3   Identification and Authentication       3       Device Identification and Authentication                       IA-3
  4   Identification and Authentication       4       Identifier Management                                          IA-4                                   1
  5   Identification and Authentication       5       Authenticator Management                                       IA-5 (1) (2) (3) (11)                  1
  6   Identification and Authentication       6       Authenticator Feedback                                         IA-6
  7   Identification and Authentication       7       Cryptographic Module Authentication                            IA-7                                   1
  8   Identification and Authentication       8       Identification and Authentication (Non-Organizational Users)   IA-8 (1) (2) (3) (4)
                                                                                                                     Total                                  5

Note: The FEC has already implemented some of this family's control requirements, such as requiring two-factor authentication (passphrase plus PIV badge with a unique PIN) for access to the agency's network.
Although some control requirements have been addressed, they have not been assessed (tested), so these controls may or may not meet the NIST standards.

Incident Response family

  #   Family              Control #   Control                                   Moderate Baseline   High Priority
  1   Incident Response       1       Incident Response Policy and Procedures   IR-1                      1
  2   Incident Response       2       Incident Response Training                IR-2                      1
  3   Incident Response       3       Incident Response Testing                 IR-3 (2)
  4   Incident Response       4       Incident Handling                         IR-4 (1)
  5   Incident Response       5       Incident Monitoring                       IR-5
  6   Incident Response       6       Incident Reporting                        IR-6 (1)                  1
  7   Incident Response       7       Incident Response Assistance              IR-7 (1)
  8   Incident Response       8       Incident Response Plan                    IR-8                      1
                                                                                Total                     4
Maintenance family

  #   Family        Control #   Control                                    Moderate Baseline   High Priority
  1   Maintenance       1       System Maintenance Policy and Procedures   MA-1                      1
  2   Maintenance       2       Controlled Maintenance                     MA-2                      1
  3   Maintenance       3       Maintenance Tools                          MA-3 (1) (2)
  4   Maintenance       4       Nonlocal Maintenance                       MA-4 (2)
  5   Maintenance       5       Maintenance Personnel                      MA-5
  6   Maintenance       6       Timely Maintenance                         MA-6
                                                                           Total                     2

Media Protection family

  #   Family             Control #   Control                                  Moderate Baseline   High Priority
  1   Media Protection       1       Media Protection Policy and Procedures   MP-1                      1
  2   Media Protection       2       Media Access                             MP-2
  3   Media Protection       3       Media Marking                            MP-3
  4   Media Protection       4       Media Storage                            MP-4
  5   Media Protection       5       Media Transport                          MP-5 (4)
  6   Media Protection       6       Media Sanitization                       MP-6                      1
  7   Media Protection       7       Media Use                                MP-7 (1)
                                                                              Total                     2

Physical and Environmental Protection family

  #   Family                                  Control #   Control                                                       Moderate Baseline   High Priority
  1   Physical and Environmental Protection       1       Physical and Environmental Protection Policy and Procedures   PE-1                      1
  2   Physical and Environmental Protection       2       Physical Access Authorizations                                PE-2                      1
  3   Physical and Environmental Protection       3       Physical Access Control                                       PE-3                      1
  4   Physical and Environmental Protection       4       Access Control for Transmission Medium                        PE-4
  5   Physical and Environmental Protection       5       Access Control for Output Devices                             PE-5
  6   Physical and Environmental Protection       6       Monitoring Physical Access                                    PE-6 (1)                  1
  7   Physical and Environmental Protection       8       Visitor Access Records                                        PE-8                      1
  8   Physical and Environmental Protection       9       Power Equipment and Cabling                                   PE-9
  9   Physical and Environmental Protection      10       Emergency Shutoff                                             PE-10                     1
 10   Physical and Environmental Protection      11       Emergency Power                                               PE-11                     1
 11   Physical and Environmental Protection      12       Emergency Lighting                                            PE-12                     1
 12   Physical and Environmental Protection      13       Fire Protection                                               PE-13 (3)                 1
 13   Physical and Environmental Protection      14       Temperature and Humidity Controls                             PE-14                     1
 14   Physical and Environmental Protection      15       Water Damage Protection                                       PE-15                     1
 15   Physical and Environmental Protection      16       Delivery and Removal                                          PE-16
 16   Physical and Environmental Protection      17       Alternate Work Site                                           PE-17                     1
                                                                                                                        Total                    12

Planning family

  #   Family     Control #   Control                                   Moderate Baseline   High Priority
  1   Planning       1       Security Planning Policy and Procedures   PL-1                      1
  2   Planning       2       System Security Plan                      PL-2 (3)                  1
  3   Planning       4       Rules of Behavior                         PL-4 (1)                  1
  4   Planning       8       Information Security Architecture         PL-8
                                                                       Total                     3

Personnel Security family

  #   Family               Control #   Control                                    Moderate Baseline   High Priority
  1   Personnel Security       1       Personnel Security Policy and Procedures   PS-1                      1
  2   Personnel Security       2       Position Risk Designation                  PS-2
  3   Personnel Security       3       Personnel Screening                        PS-3                      1
  4   Personnel Security       4       Personnel Termination                      PS-4                      1
  5   Personnel Security       5       Personnel Transfer                         PS-5
  6   Personnel Security       6       Access Agreements                          PS-6
  7   Personnel Security       7       Third-Party Personnel Security             PS-7
  8   Personnel Security       8       Personnel Sanctions                        PS-8
                                                                                  Total                     3

Risk Assessment family

  #   Family            Control #   Control                                 Moderate Baseline   High Priority
  1   Risk Assessment       1       Risk Assessment Policy and Procedures   RA-1                      1
  2   Risk Assessment       2       Security Categorization                 RA-2                      1
  3   Risk Assessment       3       Risk Assessment                         RA-3                      1
  4   Risk Assessment       5       Vulnerability Scanning                  RA-5 (1) (2) (5)          1
                                                                            Total                     4

System and Services Acquisition family

  #   Family                            Control #   Control                                                 Moderate Baseline       High Priority
  1   System and Services Acquisition       1       System and Services Acquisition Policy and Procedures   SA-1                          1
  2   System and Services Acquisition       2       Allocation of Resources                                 SA-2
  3   System and Services Acquisition       3       System Development Life Cycle                           SA-3                          1
  4   System and Services Acquisition       4       Acquisition Process                                     SA-4 (1) (2) (9) (10)
  5   System and Services Acquisition       5       Information System Documentation                        SA-5
  6   System and Services Acquisition       8       Security Engineering Principles                         SA-8
  7   System and Services Acquisition       9       External Information System Services                    SA-9 (2)
  8   System and Services Acquisition      10       Developer Configuration Management                      SA-10                         1
  9   System and Services Acquisition      11       Developer Security Testing and Evaluation               SA-11                         1
                                                                                                            Total                         4

System and Communications Protection family

  #   Family                                 Control #   Control                                                                  Moderate Baseline      High Priority
  1   System and Communications Protection       1       System and Communications Protection Policy and Procedures               SC-1                         1
  2   System and Communications Protection       2       Application Partitioning                                                 SC-2
  3   System and Communications Protection       4       Information in Shared Resources                                          SC-4
  4   System and Communications Protection       5       Denial of Service Protection                                             SC-5                         1
  5   System and Communications Protection       7       Boundary Protection                                                      SC-7 (3) (4) (5) (7)         1
  6   System and Communications Protection       8       Transmission Confidentiality and Integrity                               SC-8 (1)                     1
  7   System and Communications Protection      10       Network Disconnect                                                       SC-10
  8   System and Communications Protection      12       Cryptographic Key Establishment and Management                           SC-12
  9   System and Communications Protection      13       Cryptographic Protection                                                 SC-13                        1
 10   System and Communications Protection      15       Collaborative Computing Devices                                          SC-15
 11   System and Communications Protection      17       Public Key Infrastructure Certificates                                   SC-17
 12   System and Communications Protection      18       Mobile Code                                                              SC-18                        1
 13   System and Communications Protection      19       Voice Over Internet Protocol                                             SC-19
 14   System and Communications Protection      20       Secure Name/Address Resolution Service (Authoritative Source)            SC-20
 15   System and Communications Protection      21       Secure Name/Address Resolution Service (Recursive or Caching Resolver)   SC-21
 16   System and Communications Protection      22       Architecture and Provisioning for Name/Address Resolution Service        SC-22
 17   System and Communications Protection      23       Session Authenticity                                                     SC-23
 18   System and Communications Protection      28       Protection of Information at Rest                                        SC-28
 19   System and Communications Protection      39       Process Isolation                                                        SC-39
                                                                                                                          Total                        6

System and Information Integrity family

  #   Family                             Control #   Control                                                  Moderate Baseline   High Priority
  1   System and Information Integrity       1       System and Information Integrity Policy and Procedures   SI-1                      1
  2   System and Information Integrity       2       Flaw Remediation                                         SI-2 (2)
  3   System and Information Integrity       3       Malicious Code Protection                                SI-3 (1) (2)              1
  4   System and Information Integrity       4       Information System Monitoring                            SI-4 (2) (4) (5)
  5   System and Information Integrity       5       Security Alerts, Advisories, and Directives              SI-5                      1
  6   System and Information Integrity       7       Software, Firmware, and Information Integrity            SI-7 (1) (7)
  7   System and Information Integrity       8       Spam Protection                                          SI-8 (1) (2)              1
  8   System and Information Integrity      10       Information Input Validation                             SI-10
  9   System and Information Integrity      11       Error Handling                                           SI-11
 10   System and Information Integrity      12       Information Handling and Retention                       SI-12                     1
 11   System and Information Integrity      16       Memory Protection                                        SI-16
                                                                                                             Total                     5

Program Management family

  #   Family               Control #   Control                                          Moderate Baseline   High Priority
  1   Program Management       1       Information Security Program Plan                all                       1
  2   Program Management       2       Senior Information Security Officer              all                       1
  3   Program Management       3       Information Security Resources                   all                       1
  4   Program Management       4       Plan of Action and Milestones Process            all                       1
  5   Program Management       5       Information System Inventory                     all                       1
  6   Program Management       6       Information Security Measures of Performance     all
  7   Program Management       7       Enterprise Architecture                          all                       1
  8   Program Management       8       Critical Infrastructure Plan                     all                       1
  9   Program Management       9       Risk Management Strategy                         all
 10   Program Management      10       Security Authorization Process                   all                       1
 11   Program Management      11       Mission/Business Process Definition              all
 12   Program Management      12       Insider Threat Program                           all
 13   Program Management      13       Information Security Workforce                   all
 14   Program Management      14       Testing, Training, and Monitoring                all                       1
 15   Program Management      15       Contacts with Security Groups and Associations   all
 16   Program Management      16       Threat Awareness Program                         all                       1
                                                                                        Total                    10

Privacy family

  #   Family    Control #   Control                                                        Moderate Baseline   High Priority
  1   Privacy       1       Authority to Collect                                           all                       1
  2   Privacy       2       Purpose Specification                                          all                       1
  3   Privacy       3       Governance and Privacy Program                                 all                       1
  4   Privacy       4       Privacy Impact and Risk Assessment                             all                       1
  5   Privacy       5       Privacy Requirements for Contractors and Service Providers     all                       1
  6   Privacy       6       Privacy Monitoring and Auditing                                all                       1
  7   Privacy       7       Privacy Awareness and Training                                 all                       1
  8   Privacy       8       Privacy Reporting                                              all                       1
  9   Privacy       9       Privacy-Enhanced System Design and Development                 all
 10   Privacy      10       Accounting of Disclosures                                      all                       1
 11   Privacy      11       Data Quality                                                   all                       1
 12   Privacy      12       Data Integrity and Data Integrity Board                        all                       1
 13   Privacy      13       Minimization of Personally Identifiable Information            all
 14   Privacy      14       Data Retention and Disposal                                    all                       1
 15   Privacy      15       Minimization of PII Used in Testing, Training, and Research    all
 16   Privacy      16       Consent                                                        all                       1
 17   Privacy      17       Individual Access                                              all                       1
 18   Privacy      18       Redress                                                        all
 19   Privacy      19       Complaint Management                                           all                       1
 20   Privacy      20       Inventory of Personally Identifiable Information               all                       1
 21   Privacy      21       Privacy Incident Response                                      all                       1
 22   Privacy      22       Privacy Notice                                                 all                       1
 23   Privacy      23       System of Records Notices and Privacy Act Statements           all                       1
 24   Privacy      24       Dissemination of Privacy Program Information                   all                       1
 25   Privacy      25       Internal Use                                                   all                       1
 26   Privacy      26       Information Sharing with Third Parties                         all
                                                                                           Total                    21

                  APPENDIX B – WHAT ARE POA&Ms?

Plans of Action and Milestones (POA&Ms) are the result of identified deficiencies. Once a deficiency is identified it must be remediated, and remediation requires personnel, time, money and other resources. As documented earlier, POA&Ms may arise from FISMA reviews, OMB Circular A-123 assessments, financial statement audits and similar sources. OMB has issued formal guidance on POA&Ms in Memorandum M-02-01. The following is an excerpt:

    POA&M is a tool that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones. [emphasis added]

    The purpose of this POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems. [emphasis added]

What should the POA&Ms contain?

POA&Ms are used to resolve identified deficiencies. Because this is a crucial part of the remediation effort, each POA&M must include specific items.
The following items should be included in each POA&M:

   - Type of weakness
         o Describes the deficiency and explains why it is a deficiency.
   - The office or agency responsible for resolving the deficiency.
   - Estimated funding resources required to resolve the deficiency.
   - Scheduled completion date.
   - Key milestones.
   - Source
         o Identifies where the deficiency came from (e.g. FISMA, A-123, OIG).
   - Status
         o For example, ongoing or completed.

Why are POA&Ms so important?

POA&Ms are extremely important because they provide a road map for agencies to correct their deficiencies, taking into account the time, cost and staff resources the corrections will require. Agencies must gather all of their deficiencies and group them by area (e.g. Access Controls). Grouped or consolidated in this way, the deficiencies may rise to the level of a significant deficiency or material weakness.
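As an added example, not part of the OIG report or of the contractor's work, the following Python script applies the checklist above to a set of POA&M entries: it parses control identifiers in the form used in Appendix A (e.g. "CM-2 (1) (3) (7)") to recover the control family, reports which required items are missing from each entry, and groups open entries by family, counting the overdue ones and flagging families with enough open weaknesses to warrant review as a possible significant deficiency. The field names, the sample entries, the reporting date and the three-weakness escalation threshold are assumptions chosen for illustration; the threshold in particular is not an OMB or NIST rule.

```python
"""POA&M completeness check and roll-up by SP 800-53 control family.
Added example; not code from the FEC OIG report or Your Internal Controls, LLC.
Field names, the threshold and the sample data are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

# Control identifier as written in Appendix A, with any number of
# enhancement numbers, e.g. "CM-2 (1) (3) (7)" or "PL-8".
_CONTROL_RE = re.compile(r"^\s*([A-Z]{2})-(\d+)((?:\s*\(\d+\))*)\s*$")

# Items OMB M-02-01 expects on every POA&M (the checklist above);
# the attribute names are this example's own.
REQUIRED_FIELDS = ("weakness", "responsible_office", "funding_estimate",
                   "completion_date", "milestones", "source", "status")


def parse_control(control_id: str) -> tuple[str, int, tuple[int, ...]]:
    """Split "CM-2 (1) (3) (7)" into ("CM", 2, (1, 3, 7))."""
    m = _CONTROL_RE.match(control_id)
    if m is None:
        raise ValueError(f"not a SP 800-53 control identifier: {control_id!r}")
    enhancements = tuple(int(n) for n in re.findall(r"\((\d+)\)", m.group(3)))
    return m.group(1), int(m.group(2)), enhancements


@dataclass
class Poam:
    """One POA&M entry (assumed field layout, not OMB's template)."""
    control_id: str
    weakness: str = ""
    responsible_office: str = ""
    funding_estimate: float | None = None
    completion_date: date | None = None
    milestones: list[str] = field(default_factory=list)
    source: str = ""   # where the deficiency came from: FISMA, A-123, OIG, ...
    status: str = ""   # e.g. "ongoing" or "completed"

    def is_open(self) -> bool:
        return self.status.strip().lower() != "completed"


def missing_fields(poam: Poam) -> list[str]:
    """Required items that are empty or unset on this entry."""
    return [name for name in REQUIRED_FIELDS
            if getattr(poam, name) in (None, "", [])]


def is_overdue(poam: Poam, today: date) -> bool:
    """Open entry whose scheduled completion date has already passed."""
    return (poam.is_open() and poam.completion_date is not None
            and poam.completion_date < today)


def rollup_by_family(poams: list[Poam], today: date,
                     escalate_at: int = 3) -> dict[str, dict]:
    """Group open entries by control family, counting overdue and incomplete
    ones. A family with at least `escalate_at` open weaknesses is flagged for
    review as a candidate significant deficiency (threshold is an assumption)."""
    summary: dict[str, dict] = {}
    for poam in poams:
        family, _, _ = parse_control(poam.control_id)
        row = summary.setdefault(
            family, {"open": 0, "overdue": 0, "incomplete": 0, "escalate": False})
        if not poam.is_open():
            continue
        row["open"] += 1
        row["overdue"] += int(is_overdue(poam, today))
        row["incomplete"] += int(bool(missing_fields(poam)))
    for row in summary.values():
        row["escalate"] = row["open"] >= escalate_at
    return summary


# Constructed sample entries (not FEC data); a fixed reporting date keeps
# the overdue calculation reproducible.
REPORT_DATE = date(2014, 9, 30)
SAMPLE_POAMS = [
    Poam("CM-8 (1) (3) (5)", "No authoritative component inventory", "OCIO",
         25000.0, date(2014, 6, 30), ["Select tool", "Populate inventory"],
         "OIG", "ongoing"),
    Poam("CM-6", "Baseline settings not enforced", "OCIO",
         None, date(2015, 3, 31), ["Adopt USGCB settings"], "FISMA", "ongoing"),
    Poam("CM-3 (2)", "No change control board", "OCIO",
         5000.0, date(2014, 12, 31), ["Charter the board"], "OIG", "ongoing"),
    Poam("IA-5 (1) (2) (3) (11)", "Password policy undocumented", "OCIO",
         2000.0, date(2014, 5, 31), ["Issue policy"], "A-123", "completed"),
    Poam("RA-5 (1) (2) (5)", "No periodic vulnerability scanning", "OCIO",
         40000.0, date(2015, 1, 31), [], "OIG", "ongoing"),
]


def sample_rollup() -> dict[str, dict]:
    """Roll-up of the constructed sample as of REPORT_DATE."""
    return rollup_by_family(SAMPLE_POAMS, REPORT_DATE)
```

Run against the sample, the CM family shows three open weaknesses (one overdue, one lacking a funding estimate) and is flagged, while the completed IA entry contributes nothing and the RA entry is reported as incomplete because it has no milestones. Feeding real POA&Ms through `missing_fields` before the quarterly submission is the practical check: an entry that fails it is exactly the kind OMB M-02-01 would reject.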
Because grouped deficiencies can escalate in severity this way, it is very important that every deficiency be associated with a POA&M and that the deficiencies be resolved.

The following is another excerpt from OMB M-02-01:

    Additionally, the POA&Ms should either reflect consolidation with or be accompanied by other agency plans to correct security weaknesses found during any other review done by, for, or on behalf of the agency, including GAO audits, financial system audits, and critical infrastructure vulnerability assessments.

Where do all the POA&Ms go?

In accordance with OMB M-02-01, all POA&Ms should be sent to OMB quarterly. Each POA&M must therefore contain the required information, or the agency will not be in compliance with OMB requirements.

                          APPENDIX C – WHAT IS FISMA

The Federal Information Security Management Act (FISMA) was enacted in 2002 as Title III of the E-Government Act [6]. It requires each executive federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency (emphasis added), including those provided or managed by another agency, contractor, or other source. As discussed in the NIST section earlier, agencies use the NIST Special Publications (SPs) to comply with FISMA; implementing the NIST SPs is how an agency satisfies the FISMA requirements and the related laws and regulations.

To comply with FISMA, management must provide an agency-wide Security Assessment and Authorization (SA&A) program. The steps below derive from NIST SP 800-37; an agency complies with FISMA by carrying out such a program.
The steps for completing an agency-wide SA&A program are as follows:

SA&A Compliance Steps

   1. Security Assessment & Authorization (SA&A) Planning
   2. Complete an Inventory Analysis
   3. Assess Risk and Criticality
   4. Interconnected Systems Analysis
   5. FIPS-199 Security Categorization
   6. Develop SA&A Documents
   7. Security Controls Assessment (SCA)
   8. Security Assessment Report (SAR) Development
   9. Accreditation
   10. Continuous Monitoring

In order to comply with FISMA, each agency must develop, document, and implement an agency-wide program to ensure security is appropriate for the systems (including other technologies such as applications, etc.) supporting the programs and mission of the agency. Below are brief descriptions of the respective SA&A program steps.

[6] The E-Government Act states: “To enhance the management and promotion of electronic Government services and processes …require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes.” FISMA is contained within this Act as Title III of the E-Government Act.

SA&A Planning

This step involves identifying and gathering the various personnel needed for this process. There are many areas of compliance with FISMA, and this will need to involve all levels of management within the agency.
For this reason, the planning of SA&A efforts will involve holding meetings to discuss the subsequent steps (listed below) and the level of effort required of each member involved with FISMA.

Inventory Analysis

This step is usually very time intensive and complex, as it requires a full analysis of all hardware and software, as well as the connections between those technologies. It involves compiling a complete inventory of all hardware, software, systems, databases, applications, and any other equipment that is specific to the agency. Each of these must be accounted for in the SA&A inventory. Ideally, the end product should contain the following:

      Hardware          This should include the specific version number, quantity, and type of hardware.

      Software          This should include the version number, release, and quantity of software deployed on the hardware, together with a detailed description of the software (e.g. business purpose).

      Location          This should include the physical location of the hardware.

      IT Owner          This is the IT person who will ultimately sign off on the system as having an acceptable level of risk to be deployed in production (e.g. Chief Information Officer).

      Data Owner        This is the person who is responsible for approving access rights for other users.

      Connections       This lists any connections the hardware has with other systems.

      Categorization    Listed as High, Moderate, or Low; this also classifies the system as either a General Support System (GSS) or Major Application (MA).

Note: It was noted through interviews with IT management personnel that the agency is currently procuring contract services to analyze all hardware and software and identify all elements of the agency inventory. It was also learned that the agency has specific plans to complete this inventory analysis within the next 6 to 8 months.

Assess Risk and Criticality

Once the entire inventory is accounted for and documented, it is then necessary to categorize these systems in terms of their risk and criticality. The SA&A process includes GSSs and MAs. GSSs are those systems that support major applications. An example would be an accounting application that processes payroll, which resides on a Windows 2008 Server environment. In this instance, the GSS would be the Windows Server, and the accounting application would be the Major Application. There are also other classifications, such as Minor Application. An example of this would be a Microsoft Access database used to collect and gather data to input into the accounting application. In this instance, the database would be the Minor Application and the accounting application would be the MA.

There are also those systems classified as FISMA non-reportable systems.
These are systems that have no sensitive data, Personally Identifiable Information (PII), or any other data that is deemed critical or important to the agency. The entire inventory needs to be assessed in terms of risk to the overall mission of the agency and then categorized as such (e.g. GSS, MA, Minor Application, etc.).

Interconnected Systems Analysis

Once the inventory has been identified, it is then crucial to understand which systems interface and/or interconnect with other systems. This becomes important because if one system is expected to maintain a given security posture and yet interconnects with another system, then the interconnecting systems must attain the same or greater security measures. This analysis must also include identifying connections with users that are external to the agency, such as an employee of another agency or a member of the public (e.g. a person who is filing their political contributions via the Electronic Distribution System). It also includes identifying those systems that have a direct connection and yet reside at another agency location.

FIPS-199 Security Categorization

The Federal Information Processing Standards (FIPS) are documents written by NIST. FIPS-199 is a document particularly concerned with security categorizations for GSSs and MAs. There are three categories in the FIPS-199 assessment: Low, Moderate, and High. This becomes very important because, depending on the security categorization (low, moderate, or high), the controls to be implemented will vary. For example, a system that is deemed to be Low will deploy one set of controls, whereas a High system will have to deploy another, more comprehensive set of controls.
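The two steps above (interconnected systems analysis and FIPS-199 categorization) lend themselves to a small inventory check. The following is a worked example added to this appendix; it is not part of the OIG report or of Your Internal Controls' methodology. It assumes the FIPS 199 "high-water mark" rule, which the report does not spell out: each system receives an impact level (Low, Moderate, High) for confidentiality, integrity, and availability, and its overall security category is the highest of the three. It then applies the report's rule that a system interconnecting with a higher-categorized system must attain the same or greater security measures, and flags connections to systems absent from the inventory. The System class, the function names, and the three-system inventory (modeled on the payroll example above) are constructed for illustration.

```python
"""FIPS-199 high-water-mark categorization and interconnection check.

Added example, not code from the OIG report. Inventory data below is
constructed sample data, not the FEC's actual inventory.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# FIPS 199 impact levels, ordered for comparison.
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}


@dataclass
class System:
    name: str
    kind: str                       # "GSS", "MA" or "Minor" (as classified in the inventory)
    confidentiality: str            # impact level for loss of confidentiality
    integrity: str                  # impact level for loss of integrity
    availability: str               # impact level for loss of availability
    connections: list[str] = field(default_factory=list)  # names of interconnected systems


def categorize(system: System) -> str:
    """FIPS 199 high-water mark: the system category is max(C, I, A)."""
    levels = (system.confidentiality, system.integrity, system.availability)
    for lvl in levels:
        if lvl not in LEVELS:
            raise ValueError(f"{system.name}: unknown impact level {lvl!r}")
    return max(levels, key=LEVELS.__getitem__)


def interconnection_findings(inventory: dict[str, System]) -> list[str]:
    """Flag each connection from a lower-categorized system to a higher one,
    and each connection to a system missing from the inventory (an inventory gap)."""
    findings = []
    for system in inventory.values():
        own = categorize(system)
        for peer_name in system.connections:
            peer = inventory.get(peer_name)
            if peer is None:
                findings.append(f"{system.name}: connected system {peer_name!r} not in inventory")
                continue
            peer_cat = categorize(peer)
            if LEVELS[own] < LEVELS[peer_cat]:
                findings.append(
                    f"{system.name} ({own}) interconnects with {peer.name} ({peer_cat}); "
                    f"{system.name} must attain {peer_cat} or greater security measures"
                )
    return sorted(findings)


# Constructed sample inventory: a GSS hosting a payroll MA, a minor
# application feeding it, and a connection to a system that was never inventoried.
SAMPLE_INVENTORY = {
    "WinServer2008": System("WinServer2008", "GSS", "LOW", "MODERATE", "MODERATE",
                            connections=["Payroll"]),
    "Payroll": System("Payroll", "MA", "MODERATE", "HIGH", "LOW",
                      connections=["WinServer2008", "EDS"]),
    "AccessDB": System("AccessDB", "Minor", "LOW", "LOW", "LOW",
                       connections=["Payroll"]),
}


if __name__ == "__main__":
    for s in SAMPLE_INVENTORY.values():
        print(f"{s.name:14} {s.kind:6} -> {categorize(s)}")
    for line in interconnection_findings(SAMPLE_INVENTORY):
        print("FINDING:", line)
```

Run as written, the script categorizes the payroll application as High (its integrity impact drives the category), the server as Moderate, and the Access database as Low, then reports that both the server and the database interconnect with a higher-categorized system and that "EDS" is missing from the inventory. Each finding is the kind of item that would be written up as a POA&M entry or as an inventory gap to close before the FIPS-199 worksheets are finalized.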
Once the categorization has been completed, the set of controls must be implemented via NIST 800-53, Revision 4, which has a standard set of controls broken out by security categorization.

Note: Through interviews with IT management personnel, it was determined that all systems residing at the agency would be categorized as Moderate. However, none of the systems have had any documentation completed through a FIPS-199 security categorization; therefore one or more of these systems may in fact have a different categorization.

Develop SA&A Documents

There are several documents that constitute the SA&A package.

SA&A Package Documents

   ✓ Boundary Memo
   ✓ FIPS-199 Worksheet
   ✓ PIA
   ✓ SSP
   ✓ eAuthentication Assessment
   ✓ ISCP
   ✓ POA&M Listing

They are as follows:

   ➢ Boundary Memo
        o Used for determining the beginning and ending areas of scope for the system. All hardware, software, databases, applications, and systems shall be documented in the boundary memo. The memo should also list whether or not each item is in or out of scope. For example, an application may have hardware listed in the boundary table, but that hardware may be part of another SA&A package. This is important so that all of the dependencies are identified.

   ➢ FIPS-199 Security Categorization
        o The completion of the FIPS-199 worksheet will result in the categorization of the respective system (High, Moderate, or Low).

   ➢ Privacy Impact Assessment (PIA)
        o The system must consider privacy concerns, as this affects the overall categorization of the system as well. When performing a PIA, the PII elements shall be identified. These elements should then be analyzed to ascertain whether, in combination, they can be traced to a person. If one or more PII elements can be traced to a person, then this information has risen to the level of Information in Identifiable Form (IIF).

   ➢ System Security Plan (SSP)
        o This is a listing of the various controls (for the system’s categorization) and their implementation status, as well as any reliance placed on another GSS or MA.

   ➢ eAuthentication Assessment
        o This assessment goes through a NIST exercise whereby the end result provides the type of identification that is acceptable for the given system. There are three requirements that must be validated on each system: it must be determined whether the system is web-based, externally facing, and requires authentication. If a system meets all three criteria, then an eAuthentication Assessment must be conducted in accordance with NIST SP 800-60 to identify the specific types of authentication that will be required. For example, a system containing sensitive data may require an ID plus two-factor authentication. An example of this is a User ID, password, and an RSA token.

   ➢ Information System Contingency Plan (ISCP)
        o The various contingency procedures are contained within this document.
The ISCP also contains the Training, Test, and Exercise (TT&E) material, as well as the test results of the ISCP. Additionally, the ISCP contains a list of those hardware and software items that are deemed mission critical and also lists what should be restored first, second, and so on. The ISCP lists the key personnel responsible for restoring the data and managing the various contingency aspects of the system.

   ➢ POA&M
        o The POA&M contains a list of deficiencies, as well as the resources (e.g. people, money, etc.) needed to remediate the deficiencies listed. The POA&Ms also include a timeline for when the deficiencies will be corrected. See Appendix B for further details.

Security Controls Assessment

Once a system has been included in the inventory and appropriately categorized in accordance with FIPS-199, and the other required documents (e.g. SSP, ISCP) are completed, it is then necessary to assess the controls documented in the SSP to verify that they are both designed and operating effectively. This test is commonly referred to as the SCA. The results of the SCA are analyzed and compared against the original documentation (e.g. SSP). If any changes or updates need to be made, then the documents are modified based on the SCA results. It is during the SCA that control weaknesses (i.e. deficiencies) arise, and a POA&M must be created to remediate and resolve each identified deficiency.

SAR Development

The SAR is the report used to document the various deficiencies contained within a system, including their remediation status.
If, for example, a system had 10 deficiencies, of which 5 had been remediated and the other 5 remained, the SAR would assess the remaining residual risk and propose a recommendation to the Accrediting Official (AO) (i.e. Chief Information Officer) regarding whether or not the system should be placed in a live environment (e.g. production).

Accreditation

The SAR is presented to the Accrediting Official (AO) for an accreditation decision. It is at this point that the AO makes the decision regarding an Authority to Operate (ATO) or an Interim Authority to Operate (IATO). The AO can decide that the IATO is for 3, 6, 9, or 12 months. When a system has an IATO, there are usually stipulations that the deficiencies noted must be remediated within a prescribed time, or else the system will revert to not being authorized. This is very important: if there is a system with open deficiencies and an IATO, then the POA&M must be aggressive in ensuring remediation of those deficiencies.

Continuous Monitoring

Once a system has undergone an SA&A, it is essential to continuously monitor that system's security posture. As there are always changes such as personnel changes, system changes, releases, upgrades, patches, reassignment of priorities, etc., it is imperative that the system be recalibrated to ensure that the security posture is still intact.
That is the essential function of this phase of the SA&A process.

APPENDIX D – ACRONYM LISTING

AO      Accrediting Official
ATO     Authority to Operate
CPIC    Capital Planning and Investment Control Process
DNS     Domain Name System
FEC     Federal Election Commission
FIPS    Federal Information Processing Standards
FISMA   Federal Information Security Management Act
GSS     General Support System
HIPAA   Health Insurance Portability and Accountability Act
IATO    Interim Authority to Operate
ICS     Industrial Control Systems
IDPS    Intrusion Detection and Prevention Systems
IIF     Information in Identifiable Form
ISCP    Information System Contingency Plan
IT      Information Technology
ITD     Information Technology Department
MA      Major Application
MOVS    Modes of Operation Validation System
NIST    National Institute of Standards and Technology
OCC     Organization Common Controls
OIG     Office of Inspector General
OMB     Office of Management and Budget
PACS    Physical Access Control Systems
PAR     Performance and Accountability Report
PIA     Privacy Impact Assessment
PII     Personally Identifiable Information
PIV     Personal Identity Verification
POA&M   Plan of Actions and Milestones
RFID    Radio Frequency Identification
RoB     Rules of Behavior
SA&A    Security Assessment and Authorization
SAR     Security Assessment Report
SCA     Security Controls Assessment
SCAP    Security Content Automation Protocol
SP      Special Publications
SSP     System Security Plan
TDEA    Triple Data Encryption Algorithm
TLS     Transport Layer Security
TMOVS   Modes of Operation Validation System
TT&E    Training, Test, and Exercise

APPENDIX E - RESOURCES

Resource                     Location
NIST Special Publications    http://csrc.nist.gov/publications/PubsSPs.html
NIST home page               www.nist.gov
US-CERT                      http://www.us-cert.gov/
NIST-FISMA                   http://csrc.nist.gov/groups/SMA/fisma/

APPENDIX F - ABOUT YOUR INTERNAL CONTROLS

Your Internal Controls, LLC is headquartered in North Potomac, Maryland. Your Internal Controls, LLC is a small business and has been servicing clients since 2003. We provide internal controls support. Our service offerings are as follows:

   ➢ FISMA
   ➢ SA&A package development (BSM, SSP, ITCP, etc.)
   ➢ Security Controls Assessments and Remediation
   ➢ Privacy audits
   ➢ FISCAM General & Application Controls Reviews (IT audits in support of financial statement audits)
   ➢ OMB compliance (A-50, 123, 127, and 130)
   ➢ Sarbanes-Oxley
   ➢ SOC reporting (SOC 1 and SOC 2 engagements)
   ➢ PCAOB, CoBIT, COSO, Internal Audit Augmentation
   ➢ Course instruction
   ➢ Technical reviews (e.g. firewalls, vulnerability assessments, etc.)

Your Internal Controls, LLC personnel have serviced Fortune 500 companies, Big 4 Accounting Firms, Consulting Firms, Federal agencies, as well as state/local government.

Your Internal Controls was founded by Mr. Jack Heyman, who is a Certified Public Accountant, Certified Information Systems Auditor, Certified Government Financial Manager, Certification and Accreditation Professional, and a Certified Information Privacy Professional.
Your Internal Controls is the exclusive provider of all IT courses on behalf of the Association of Government Accountants. There are several IT courses being taught regularly, and amongst those are FISMA-related topics.

Mr. Heyman has developed and/or audited over 200 SA&A packages on behalf of many agencies such as the IRS, Federal Maritime Commission, Federal Relations Labor Authority, General Services Agency, Department of Defense, Department of Justice, and many more. Your Internal Controls holds a GSA schedule contract as well for ease of procurement.

Federal Election Commission
Office of Inspector General

Fraud Hotline
202-694-1015
or toll free at 1-800-424-9530 (press 0; then dial 1015)
Fax us at 202-501-8134 or e-mail us at oig@fec.gov
Visit or write to us at 999 E Street, N.W., Suite 940, Washington DC 20463

Individuals including FEC and FEC contractor employees are encouraged to alert the OIG to fraud, waste, abuse, and mismanagement of agency programs and operations. Individuals who contact the OIG can remain anonymous. However, persons who report allegations are encouraged to provide their contact information in the event additional questions arise as the OIG evaluates the allegations. Allegations with limited details or merit may be held in abeyance until further specific details are reported or obtained. Pursuant to the Inspector General Act of 1978, as amended, the Inspector General will not disclose the identity of an individual who provides information without the consent of that individual, unless the Inspector General determines that such disclosure is unavoidable during the course of an investigation.
To learn more about the OIG, visit our Website at: http://www.fec.gov/fecig/fecig.shtml

Together we can make a difference.